Analysis
max time kernel: 144s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 28-02-2021 07:08
Static task: static1

Behavioral task: behavioral1
  Sample: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Resource: win10v20201028
General
Target: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
Size: 78KB
MD5: ec1f806b2ca57c3c03be303890c6fd65
SHA1: 7d48e0cb19d60dfe2a3a04aef63c57482a024c97
SHA256: 07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8
SHA512: 78d31f7738d47a65952ee6315f4a3ab25f35d47eed4b4832fbfe890c1b286dca1ae42dc9721b5ffa6a0ff3c0576bf621964d384d977b2851433e20538b57f0d6
Malware Config

Signatures

MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Executes dropped EXE (1 IoCs)
  pid   Process
  708   tmp2D11.tmp.exe

Deletes itself (1 IoCs)
  pid   Process
  708   tmp2D11.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""  tmp2D11.tmp.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Token: SeDebugPrivilege  708   tmp2D11.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4684 wrote to memory of 992   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  74
  PID 4684 wrote to memory of 992   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  74
  PID 4684 wrote to memory of 992   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  74
  PID 992 wrote to memory of 3676   992   vbc.exe                                                                 76
  PID 992 wrote to memory of 3676   992   vbc.exe                                                                 76
  PID 992 wrote to memory of 3676   992   vbc.exe                                                                 76
  PID 4684 wrote to memory of 708   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  78
  PID 4684 wrote to memory of 708   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  78
  PID 4684 wrote to memory of 708   4684  07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe  78
Processes

C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe"
  PID: 4684
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smhk2iid.cmdline"
    PID: 992
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5573FE4A52444FFBB16DCE4035DE28F1.TMP"
      PID: 3676

  C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D11.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
    PID: 708
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken